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(54) Optical disk, optical recorder, optical reproducer, cryptocommunication system and 
program license system 



(57) The operating and other procedures of an op- 
tical disk application system of the type for which a net- 
work is used are simplified. Optical disks have auxiliary 
data recording areas, where different IDs for individual 
disks, and/or cipher keys and/or decoding keys for ci- 



phers are recorded in advance in a factory. By using the 
IDs to release the soft ciphers, using the cipher keys 
when sending the ciphers, and using the decoding keys 
when receiving the ciphers, user authorization proce- 
dures are simplified. 
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Description 

TECHNICAL FIELD 

[0001 ] The present invention relates to an optical disk, 
an optical disk system and a cryptocommunication 
method. 

BACKGROUND 

[0002] In recent years, with the increased use of net- 
works such as the Internet and optical CD ROM disks, 
network soft key distribution for optical ROM disks has 
increased. Also, electronic commercial transactions 
have increased. 

[0003] Soft key electronic distribution systems for CD- 
ROM media have been used. In conventional systems, 
it is known to give passwords and decipher the enci- 
phered soft ciphers recorded on the CD-ROMs in ad- 
vance. When CD-ROMs are used, however, it is not pos- 
sible additionally to record on the disks, so that it is not 
possible to individually set IDs for respective disks. 
Therefore, one password would release the ciphers of 
all the disks manufactured from the same original disk. 
For this reason, when CD-ROMs are used, it is neces- 
sary to install the disks' IDs on the hard disks of personal 
computers, or mail to users IDs prepared centrally. 
[0004] In electronic distribution systems with conven- 
tional optical disks and/or optical disk systems, there is 
a need to provide the disks and/or systems with IDs and/ 
or cipher keys. It is an object of the present invention to 
simply provide IDs and cipher keys for ROM disks in 
electronic distribution systems. 

SUMMARY OF THE INVENTION 

[0005] To achieve the objects of the present invention, 
the pit portions of optical disks are provided with an ad- 
ditional recording area or Burst Cutting Area (hereinafter 
abbreviated as BCA) overwritten with a bar code and, 
when the disks are manufactured, IDs differing for each 
disk and, according to the need, cipher keys for com- 
munication and decoding keys for decoding key cipher 
texts for communication, are recorded individually in the 
BCA areas. As a result, when the disks have been dis- 
tributed to users, the user ID numbers, the cipher keys 
for transmission for communication, and the decoding 
keys for reception are distributed automatically to the 
users. It is therefore possible to omit some of the pro- 
cedures that complicate conventional systems. Also, 
cryptocommunication and the identification of disks are 
made possible at the same time. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0006] 

Fig. 1 is a flow chart of an optical disk according to 



an embodiment of the present invention. 
Figs. 2a-c are cross sections and results of trimming 
with a pulse laser according to an embodiment of 
the invention. 

s Figs, 3a-g show the signal reproduction waveforms 
at a trimming portion according to an embodiment 
of the invention. 

Fig. 4 is a block diagram of a reproducer according 
to an embodiment of the invention. 
10 Fig. 5a shows the waveform of a reproduced signal 
at a BCA part according to the invention. Fig. 5b 
shows dimensional relationships of a BCA part ac- 
cording to the invention. 

Fig. 6 shows a method of cryptocommunication and 
15 a cipher key method by means of a password ac- 
cording to an embodiment of the present invention. 
Figs. 7a-c show the format of a BCA according to 
the invention. 

Fig. 8 shows a method of cryptocommunication and 
20 a method of unlocking a cipher with a password ac- 
cording to an embodiment of the invention. 
Fig. 9 shows a procedure for operation of a disk, the 
content part of which may have been licensed, ac- 
cording to an embodiment of the invention. 
25 Fig. 1 0 is a block diagram of an example wherein a 
BCA has been recorded in a RAM disk according to 
an embodiment of the present invention. 
Fig. 1 1 is a block diagram of a method or system for 
prevention of unauthorized copying according to an 
30 embodiment of the invention. 

Fig. 12 is a flow chart depicting preventing unau- 
thorized copying accordingto an embodiment of the 
invention. 

Fig. 13a is a plan view and Fig. 13b is a cross sec- 
35 tion of an optical disk, on the BCA of which an article 
or commodity bar code has been printed, according 
to an embodiment of the invention. Fig. 13c shows 
a method of producing an optical disk according to 
an embodiment of the invention. 
40 Fig. 1 4 is a block diagram of a POS settlement sys- 
tem with a ROM disk having a BCA and a POS ter- 
minal according to an embodiment of the invention. 
Fig. 15 is a flow chart of cipher release in and be- 
tween a press company, a software company and 
45 a selling store, according to an embodiment of the 
present invention. 

Figs. 16 and 17 are flow charts (Parts 1 and 2, re- 
spectively) of steps of enciphering and decoding ci- 
pher data with a disk ID and/or the like accordingto 

so an embodiment of the invention. 

Figs. 18,19 and 20 are flow charts (Parts 1 , 2 and 
3, respectively) of communication cipher key distri- 
bution and cryptocommunication with a BCA ac- 
cording to an embodiment of the invention. 

55 Figs. 21 , 22 and 23 are flow charts (Parts 1 , 2 and 
3, respectively) of an electronic settlement system 
with a BCA according to an embodiment of the 
present invention. 
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Fig. 24 is a block diagram of a method of recording 
and reproducing for recording limitation to one RAM 
disk with a BCA according to an embodiment of the 
invention. 

[0007] At the end of this specification is appended a 
list identifying items corresponding to the reference nu- 
merals used in the aforementioned drawings, that listing 
being in consecutive numerical order of the reference 
numerals. 

DETAILED DESCRIPTION OF THE INVENTION 

[0008] ' The present invention will be described on the 
basis a number of embodiments. Herein, an additional 
recording area using the BCA system is referred to as 
a 'BCA area', and data recorded in a BCA is referred to 
as 'BCA data 1 . In addition, first identification data is re- 
ferred to as 'ID' or 'disk ID 1 . 

[0009] Fig. 1 shows a typical process for producing a 
disk with a BCA. The first cipher key 802, such as a pub- 
lic key, is used by a cipher encoder or scrambler 803 to 
encipher contents 777 into the first cipher 805. An 8-16 
modulator 91 7, such as a mastering unit, modulates the 
first cipher 805. A laser records the modulated signal as 
pits in the first recording area 91 9 of an original disk 800. 
A molding machine 808a uses the original disk 800 to 
mold disk-like transparent substrates (not shown). A re- 
flecting film making machine 808b forms reflecting A! 
films, and makes single-sided disks 809a and 809b 
which are each 0.6 millimeter thick. A bonding machine 
808c laminates these disks together to make a complet- 
ed disk 809. A trimming unit 807 modulates the disk ID 
921, the first cipher decoding key 922, or the second 
cipher key 923 for Internet communication in the second 
recording area 920 of the completed disk 809, with a 
Phase Encoding-Return to Zero (PE-RZ) modulator 
807a, which combines PE modulation and RZ modula- 
tion. A pulse laser 807b effects BCA trimming to make 
a disk 801 with a BCA. Because laminated disks are 
used, it is not possible to alter the BCA inside, and thus 
the completed disk can be used for security. 
[0010] A BCA will next be explained briefly. 
[0011] As shown in Fig. 2a, a pulse laser 808 trims 
the reflecting aluminum films 809 of the two-layer disk 
800 in a BCA to record a stripe-like low reflection part 
810 on the basis of a PE modulating signal. As shown 
in Fig. 2b, BCA stripes are formed on the disk. If the 
stripes are reproduced by a conventional optical head, 
the BCA has no reflecting signal. Therefore, as shown 
in Fig. 2c, gaps 810a, 810b and 810c are produced, 
where the modulating signal is missing. The modulating 
signal is sliced at the first slice level 91 5. But, the gaps 
810a-c have a low signal level, and can therefore be 
sliced easily at the second slice level 91 6. As shown with 
the recorded and reproduced waveforms in Fig. 3, it is 
possible to reproduce the formed bar codes 923a and 
923b by level-slicing them at the second slice level 916 



by a conventional optical pickup as shown in Fig. 3e. As 
shown in Fig. 3f, the waveforms of the codes are shaped 
by a LPF filter so as to PE-RZ decode the codes. As 
shown in Fig. 3g, a digital signal is output. 

5 [0012] With reference to Fig. 4, the decoding opera- 
tion will be explained. A disk 801 with a BCA includes 
two transparent substrates, which are laminated with a 
recording layer 801 a between them. The recording layer 
may either be a single layer 801 a or include two record- 
to ing layers 800a and 800b. If there are two layers, a BCA 
flag 922 is recorded in the control data of the first re- 
cording layer 800a, which is adjacent to the optical head 
6. The flag 922 indicates whether a BCA is recorded or 
not. Because a BCA is recorded in the second layer 

15 800b, the first recording layer 800a is focused on first, 
and the optical head 6 is moved to the radial position of 
the control data 924 in the innermost edge of the second 
recording area 919. The control data is main data, and 
has therefore been Eightto Fourteen Modulation (EFM), 

20 8-15 or 8-1 6 modulated. Only when the BCA flag 922 in 
the control data is 'V, a single/double layer switching 
part 827 focuses on the second recording layer 801 b to 
reproduce the BCA. If the signal is sliced by a level slicer 
590 at the general first slice level 915 as shown in Fig. 

25 2c, it is converted into a digital signal. This signal is de- 
modulated in the first demodulation part by an EFM de- 
modulator 925, an 8-15 modulator-demodulator 926 or 
an 8-16 modulator-demodulator 927. An ECC decoder 
36 corrects errors, if any, and outputs main data. The 

30 control data in the main data is reproduced and only if 
the BCA flag 922 is 1 is the BCA read. When the BCA 
flag 922 is 1 , a CPU 923 orders the single/double layer 
switching part 827 to drive a focus adjustment part 828, 
switching the focus from the first recording layer 801 a 

35 to the second recording layer 801b. At the same time, 
the optical head 6 is moved to the radial position of the 
second recording area 920, that is, for the DVD stand- 
ard, the BCA is recorded between 22.3 and 23.5 mm 
from the inner edge of the control data. Then the BCA 

40 js read. Reproduced in the BCA area is a signal with a 
partially missing envelope as shown in Fig. 2c. By set- 
ting in the second level slicer 929 the second slice level 
916 of which the quantity of light is smaller than that of 
the first slice level 915, it is possible to detect the missing 

45 parts of the reflecting portion of the BCA, and a digital 
signal is output. This signal is PE-RZ demodulated by 
the second demodulation part 930, and ECC decoded 
by an ECC decoder 930b so as to output BCA data, 
which is auxiliary data. Thus, the first demodulator 928, 

so operative according to, 8-16 modulation demodulates 
and reproduces the main data, while the second demod- 
ulation part 930 operative according to PE-RZ modula- 
tion demodulates and reproduces the auxiliary data, that 
is, the BCA data. 

55 [0013] Fig. 5a shows the reproduced waveform be- 
fore passage through a filter 943. Fig, 5b shows the 
working size accuracy (precision) of the slits of the low 
reflecting portion 81 0. It is difficult to make the slit width 
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less than 5mm. In addition, if the data is not recorded 
inward radially from 23.5 mm, it will not be properly re- 
produced. Therefore, for a DVD, because of the limita- 
tions of the shortest recording cycle of 30 mm and the 
maximum radius of 23.5 mm, the maximum capacity af- 
ter formatting is limited to 188 bytes or less. 
[0014] The modulating signal is recorded as pits by 
the 8-1 6 modulation mode, and a high frequency signal 
such as the high frequency signal part 933 in Fig. 5a is 
obtained. However, the BCA signal is a law frequency 
signal like low frequency signal part 932. Thus, if the 
main data complies with the DVD standard, it is a high 
frequency signal 932 which is about 4.5 MHz or less, 
shown in Fig. 5a, and the auxiliary data is a low frequen- 
cy signal 933 which is 8.92 ms in period, that is, about 
100 kHz. It is therefore relatively simple to frequency- 
separate the auxiliary data with a LP F 943. Afrequency- 
separating method 934 as shown in Fig. 4, including the 
LPF 943 can easily separate the two signals. In this 
case, the LPF 943, may be simple in structure. 
[001 5] The foregoing is an outline of the BCA. 
[0016] With reference to Fig. 6, the overall system of 
a cipher software unlatching system, narrowed down to 
the operations of password issue, cryptocommunica- 
tion, and orderer certification, will be described. The 
steps in a press factory are nearly the same as in Fig. 
1 , so the original disk 800 and the completed disk 809 
are not shown. 

[0017] In a press factory 811, a cipher encoder 812 
enciphers the data in the plaintexts 81 0 of the first to the 
'1 - mth contents or scrambles the picture signals therein 
with the first to '1- m'th cipher keys 813, respectively. 
The data or the signals are then recorded on an original 
optical disk 800. Disk-like substrates 809 are pressed 
from the original disk 800. After a reflecting film is formed 
on each substrate 809, the two disk-like substrates are 
laminated together. Thereafter a completed disk 809 is 
made. Recorded in the BCA areas 814 of completed 
disks 809 are different IDs 815 and/or first cipher keys 
816 (public keys) and/or second cipher keys 817 (public 
keys) and second computer connection addresses 818 
so as to make disks 801 each with a BCA. The disks 
801 are distributed to users. 

[0018] The contents of these disks have been enci- 
phered. Therefore, in order to reproduce the contents of 
each of the disks, it is necessary to get a password from 
a password issue center, an electronic shop or a mall, 
by paying a charge. That procedure will be described 
next. 

[0019] In a user's first computer 909, if a reproducer 
819 reproduces a distributed disk 801 with a BCA, a 
BCA reproduction part 820 including a PE-RZ demodu- 
lation part reproduces the data of the ID 81 5, first cipher 
key 816, second cipher key 817 and/or connection ad- 
dress 818. In order to get a password, the connection 
address 81 8 of the second computer 821 a, which is the 
server of a password issue center 821, is accessed 
through a communication part 822 via the I nternet or an- 



other network 823, and the ID is transmitted to the sec- 
ond computer 821a. 

[0020] Here, the cryptocommunication procedure will 
be described. The second computer 821 a receives the 

5 ID 815fromthe user's reproducer 81 9. Then, thesecond 
computer or server 821 a of the password issue center 
821 , which is called a 'mall' or an 'electronic shop' has 
a cipher key database 824. This database contains a 
table of the secret keys which are the decoding keys 
•1Q corresponding to the disks' own IDs or the first cipher 
keys 816 of the IDs, that is the first decoding keys 825 
and the IDs. The server can therefore search for the first 
decoding key 825 based on the received ID. Thus cryp- 
tocommunication is completed from the first computer 

is to the second computer 821a. In this case, if the first 
cipher key and first decoding key are common keys of 
a common key cipher, not of an public key cipher, they 
are the same key. 

[0021 ] If the user wants to use part of the enciphered 

20 contents stored on the disk 801 , which may be 1 ,000 in 
number, for example, the content number 826 of which 
is 'n\ the user sends to the second computer 821a the 
cipher which is the content number 826, that is, 'n' en- 
ciphered with the public key which is the first cipher key 

25 81 6 by the first cipher encoder 827 composed of public 
key cipher functions. The second computer 821a 
searches for the first decoding key 825 for decoding this 
cipher as stated above. It is therefore possible securely 
to convert this cipher into plaintext. Thus, the cipher pro- 

30 tects the privacy of the user's order data. 

[0022] In this case, a signature may be made by 
means of the secret key of the public key cipher as the 
first cipher key 81 6. This method is called 'digital signa- 
ture'. For a detailed explanation of the operation of 'dig- 

35 jtal signature', see, for example, 'Digital Signature of E- 
Mail Security by Bruce Schneider 1995'. 
[0023] Back to the cryptocommunication, the cipher 
is sent through the communication part 822 and network 
823 to the first cipher decoder 827 of the password issue 

40 center 821 . Thus the first cipher decoder 827 decodes 
the cipher by means of the first pair cipher key 825 pair- 
ing with the first cipher key 816. 
[0024] In this case, because only the one disk has the 
public key, it is possible to reject invalid orders from third 

45 parties' disks. In other words, because each disk can be 
certified, it is possible to certify the user who owns the 
disk. It is thus certified that the content number 'n' rep- 
resents a particular individual's order. It is therefore pos- 
sible to exclude invalid orders of third parties. 

so [0025] If the public key 8 1 6 is secret, this method can 
technically be used to send a credit card number, or oth- 
er accounting data which requires high security. Gener- 
ally shops called 'malls' however, do not settle users' 
accounting data electronically, because there is no 

55 guarantee of security. Only the accounting centers 828 
of credit card companies, banks and the like can deal 
with users' financial data. Presently, security standards 
such as secure electronic transaction (SET) are being 
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unified, so it is probable that Rivest, Shamir and Adle- 
man (RSA) 1024 bit public key ciphers will be used and 
the encipherment of financial data will be possible. 
[0026] Next, the accounting data cryptocommunica- 
tion procedure of the present invention will be shown. 
First, by using the second cipher key 817 of the public 
key cipher reproduced by the BCA reproduction part 

820, the second cipher encoder 831 enciphers the ac- 
counting data 830 such as an individual's credit card 
number wittFa public- key system cipher such as RSA. 
The enciphered data is sent from the communication 
part 822 through the second computer 821 to the cipher 
decoder 832 of the third computer 828. In this case, if 
there is a need for digital signature, the secret key 829 
is used as the second cipher key 81 7. 

[0027] Similar to the procedure for the cipher key of 
the second computer 821 a of the password issue center 

821 , it is possible to search the cipher key database 
824a for the second decoding key 829 corresponding to 
the ID or the second cipher key 817. By using this de- 
coding key 829, the second cipher decoder 832 can de- 
code the enciphered accounting data. 

[0028] If a digital signature is made by the second ci- 
pher encoder 831 with the secret key 829, the user's 
signature can be confirmed in the second cipher decod- 
er 832. The accounting center 828 can thus get the us- 
er's credit card number, bank card number, bank pass- 
word, or other accounting data safely even via the Inter- 
net. In open networks such as the Internet, security 
comes into question. By means of this system, however, 
it is possible to make cryptocommunication or certifica- 
tion without fault, because the cipher key (public key) 
for cryptocommunication or the secret key for digital sig- 
nature has been recorded in the BCA. It is therefore pos- 
sible to prevent third parties* unauthorized accounting 
and orders. In addition, because it is possible to use var- 
ious public keys for different disks, that is, different us- 
ers, the confidentiality of communication is improved, 
and the possibility of users' accounting data leaking to 
third parties is reduced. 

[0029] Referring back to Fig. 6, the procedure for is- 
suing a password and the procedure for unlatching with 
a password will be explained. The password issue cent- 
er 821 includes a password generation part 834 with an 
operation expression of public key ciphers etc. Part 834 
generates a password on the basis of three data fields, 
namely, the ID, the content number which the user 
wants to unlatch , and the time data representing the pe- 
riod of use allowed. The generated password is sent to 
the first computer 909, In the simplest structure exam- 
ple, the second computer enciphers with the public key 
for the public key cipher the data which is a mix of the 
decoding key disk ID for releasing the cipher of the '1- 
n'th content and the timing data, prepares at the pass- 
word generation part 834 the '1- nth password 834a 
which is a mix of secret keys for unlatching the enci- 
phered data, and sends this password 834a to the first 
computer 909. The first computer 909 receives the '1- 



nth password, and decodes with the secret key the 
mixed keys of the disk ID, the timing data and the '1- 
nth content. Here, the password operation part 836 
checks the ID 835a of the BCA reproduced from the 
5 disk, the present second timing data 835b, the allowed 
ID 833a and the first timing data 833, and operates to 
determine if they coincide, if they do coincide, they are 
allowed. The '1 - n'th decoding key 836a is output to the 
cipher decoder 837. The cipher 837a of the ' 1 - n'th con- 
to tent is decoded. The '1- n'th content 838 then is^offtputr 
The period of output is limited to the time during which 
the first timing data 833 and second timing data 835b 
coincide. The password operation part 836 of the first 
computer 909 computes three data fields, which are the 
15 id, the password 835 and the timing data from the clock 
836b representing the present time. If the ID and timing 
data are correct, the correct decoding key is output as 
the result of the computation. Therefore, the cipher de- 
coder 837 decodes or descrambles the '1- n'th cipher, 
20 outputting the plaintext data of the '1 - n'th content 838, 
or a descrambled picture signal or audio signal. 
[0030] In this case, if the second timing data 835b of 
the clock 836b does not coincide with the first timing da- 
ta 838 of the password, the cipher is not correctly de- 
25 coded and therefore not reproduced. If timing data is 
used, it can be applied to time-limit type rental systems, 
so that a movie can be reproduced for only three days 
during a rental period. 

[0031] While Fig. 6 shows the procedure in a block 
30 diagram, the flowcharts of the procedure will be ex- 
plained later with reference to Figs. 16-23. 
[0032] Next, the system for the cipher key will be de- 
scribed. By putting, as shown in Fig. 7a, both the first 
cipher key 816 and second cipher key 817 in the BCA, 
35 it is possible to provide two securities, for a commodity 
deal with a shopping mall and an account settlement 
with an 'accounting center*. 

[0033] In this case, with respect to the security with 
an accounting center, it is planned to unify standards 

40 such as SET, so that an RSA 1 024, that is 1 28 byte ci- 
pher key, will be stored in the second cipher key area 
81 7a. Then, because the BCA has only 1 88 bytes, only 
60 bytes remain for the cipher key for dealing with a 
shopping mall. An elliptic function system public key ci- 

45 pher is a cipher function which is 20 bytes in magnitude 
and which has a security level equal to that of 1 28 bytes 
of RSA 1024. 

[0034] An elliptic function is used in the first cipher key 
area 816a of the present invention. An elliptic function 

so can obtain 20 byte security, which is equivalent to RSA 
1024. Therefore, by using an elliptic function, it is pos- 
sible to store both the first cipher key 816 and second 
cipher key 817 in the 188 byte BCA area. 
[0035] By applying a BCA to an optical ROM disk, as 

55 stated before, it is possible to record a disk's own ID 
number, the first and second cipher keys, and a connec- 
tion address. In this case, if the Internet is used, a mall 
is accessed automatically, and merely by distributing 



9 



EP1 168 328 A1 



10 



disks with cipher keys recorded in the BCAs, security is 
possible for distribution of commodities by releasing the 
ciphers of contents, certification and keeping secret pur- 
chase of goods, certification and keeping secret when 
accounts are settled, and the like. Therefore, the meth- s 
od of cryptocommunication of the present invention can, 
without lowering security, omit and rationalize the con- 
ventional operations of using IC cards, floppy disks and/ 
or letters to distribute IDs and/or cipher keys to users. 
This is a great advantager Furthermore, a URL, which." 
is an Internet connection address, is not fixed, but 
changeable. The URL is recorded in the original disk, 
and may be accessed, it is, however, not efficient from 
the points of view of time and cost to vary the original 
disk when a URL change is made. By having recorded 
the changed URL in the BCA, and connecting the BCA 
connection address 931 instead of the connection ad- 
dress of the original disk only if the connection address 
931 is reproduced from the BCA, it is possible to access 
the changed address 931 without preparing a new orig- 
inal disk. 

[0036] Fig. 6 shows a case where the first key of the 
public key and the first key of the public key have been 
recorded in the BCA. 

[0037] Fig. 8 shows two diagrams, in one of which the 
first cipher key 816 of the public key and the third de- 
coding key 817a of the secret key have been recorded 
in the BCA. In the other diagram, a cipher key is pro- 
duced for cryptocommunication. Because the proce- 
dure is similar to that of Fig. 6, only different points will 
be described. First, in a press factory, the first cipher key 
816 and third decoding key 817a are recorded in the 
BCA. The third decoding key 81 7a is used to receive the 
cipher enciphered with the public key from an account- 
ing center. In this case, the reception security is im- 
proved. 

[0038] First, with reference to Fig. 8, a more specific 
example of cryptocommunication where a cipher key is 
generated will be described . Because the first cipher key 
816 is a public key, it is necessary to record the third 
decoding key 817a for reception in the BCA. But the 
BCA has a small capacity. In addition, the public key 
needs processing time. Therefore, in Fig. 8, the cipher 
key generation part 838a of the first computer 836 gen- 
erates a pair of a cipher key and a decoding key for the 
public key or a common key by means of a random 
number generator or the like. An example of the com- 
mon key will be described. A common key K 838 is en- 
ciphered with the first cipher key 81 6 and first cipher en- 
coder 842, and sent to the second computer 821 a. The 
second computer uses the main decoding key 844 to 
convert this cipher into plaintext by means of the main 
cipher decoder 843, obtaining a common key K 838a. 
Because both have the common key K, it is possible to 
make cryptocommunication from a shop to a user, that 
is, from the second computer 821 a to the first computer 
836 by delivering the common key K to the second ci- 
pher encoder 842a and second cipher decoder 847a. 



Naturally, it is also possible to make cryptocommunica- 
tion from the user to the shop, that is, from the first com- 
puter 836 to the second computer 821a by delivering 
the common key K to the second cipher encoder 827a 
and second cipher decoder 845a. The effects of the 
method of recording in the BCA the first cipher key which 
is a public key and generating a cipher key will be stated. 
First, it is necessary only to record the first-cipher key, 
so that the recording of the decoding key can be omitted. 
Therefore, the small capacity of the BCA is not reduced."* 
Second, because the decoding key is recorded in the 
BCA, the security is improved. The common key may 
be changed each time. 

[0039] Because of the short operation time, the 
processing time is short. In this case, if the cipher key 
generation part 838a has generated a pair of a cipher 
key and a decoding key of a public key cipher, not a com- 
mon key, it is possible to make the security higher than 
that with the common key, though the processing time 
is longer, by cryptically sending the cipher key to the sec- 
ond computer 821 a, using this key as the cipher key of 
the second cipher encoder 842a, and using the decod- 
ing key as the decoding key of the second cipher de- 
coder 847. If the performance of the processing CPU is 
high, it is preferable that the public key be used. If a new 
public key is generated, only the public key for the first 
cipher key is recorded in the BCA, so that no problems 
of security arise. No capacity of the BCA is consumed 
either. In addition, because it is not necessary to change 
the cipher key, maintenance is easy. 
[0040] This time, if the common key K 838 is defined 
at the second computer 821a of the password issue 
center 821 , the common key is enciphered with the third 
cipher key 839 by the third cipher encoder 840, and sent 
to the personal computer 836. By using the third decod- 
ing key 837 which is the secret key reproduced from the 
BCA, the third cipher decoder 841 of the personal com- 
puter 836 makes a translation into plaintext to obtain a 
common key K 838b. In this case, because only this user 
has the third decoding key 81 7a which is the secret key, 
it is possible to prevent the contents of communication 
from the center to the user from leaking to third parties. 
The format of this case is shown in Fig. 7b. If an elliptic 
function is used, the third decoding key 839b may be 20 
bytes, and can therefore be stored in the BCA. 
[0041] Fig. 9 shows a system for reducing the costs 
of preparing an original disk by using a BCA in an enci- 
pherment disk. 

[0042] If there is a number 'n' of, for example, 1 ,090 
plaintext contents 850, the cipher encoder 852 enci- 
phers them with the first to the 'm'th cipher keys 851 , 
respectively. The ciphered first to the 'mth contents 853 , 
the decoding program 854a forthe firstto 'rrVth contents, 
and the second cipher decoder 861 a, which is the pro- 
gram for decoding the second cipher, are recorded as 
pits in an original disk and then molded into a substrate, 
and a reflecting film is formed. Thereafter, two sub- 
strates are laminated together to complete an optical 
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disk 801 . The second cipher encoder 860 enciphers the 
decoding data 854 such as the password for unlatching 
the '1- n'th, for example, the first content, and the de- 
coding key. Recorded in advance in the BCA of the first 
disk are the disk's own identification data, that is, the ID 
855 and the second cipher which is the enciphered de- 
coding data. Then, in the reproducer, the second cipher 
is reproduced from the BCA reproduction part 820. The 
second cipher decoder 861 is reproduced from the data 
reproduction part 862, which reproduces the ordinary : 
recorded data other than the BCA. Therefore, the sec- 
ond cipher decoder 861 is used to decode the second 
cipher, reproducing the ID 855a and '1- nth password 
854a. The cipher decoder 855b uses the decoding pro- 
gram 854a for the '1- n'th content reproduced from the 
data reproduction part 862, and uses the ID 855a and 
password 854a to decode the first cipher, obtaining the 
plaintext 855c of the '1- nth content and the identifica- 
tion data 855a. For a personal computer, the content 
and ID are recorded on the hard disk 863. This ID 855a 
checks to determine if there is no same ID on a network 
when the program has started, and the ID 855a actuates 
the network protection. It is therefore possible to prevent 
the software from being illegally installed. This is yet an- 
other advantage of the present invention. For example, 
if 1,000 enciphered contents are stored and decoding 
data such as a password corresponding to a particular 
software application are recorded on an original disk, 
this is equivalent in substance to the preparation of an 
optical ROM disk for a particular content. It is possible 
to obtain with one original disk the same effect as in the 
case where original disks for 1 ,000 kinds of software are 
cut. It is therefore possible to reduce the costs and time 
or labor for preparing an original disk. 
[0043] Described with reference to Fig. 1 0 is the pro- 
cedure for enciphering contents with a BCA when re- 
cording them on a RAM disk. First, the BCA reproduc- 
tion part 820 reproduces the BCA data from the RAM 
disk 856, outputs an ID 857, and sends it through the 
interfaces 858a and 858b and the network to the ehci- 
pherment part 859. The cipher encoder 861 of the en- 
cipherment part 859 enciphers contents 860 or scram- 
bles picture and sound signals by means of a key in- 
cluding the ID 857. The enciphered contents are sent to 
the recorder/reproducer, where the recording circuit 862 
records them on the RAM disk 856. 
[0044] Next, when this signal is reproduced, the data 
reproduction part 865 demodulates the main data to re- 
produce the enciphered signal, and the cipher decoder 
B63 decodes the reproduced signal. The BCA reproduc- 
tion part 820 reproduces data containing the I D 857 from 
the BCA area of the RAM disk 856. The reproduced data 
is sent as part of the key to the cipher decoder 863. If 
normally copied, the cipher key recorded in the RAM 
disk is a normal disk ID. The RAM disk ID, also, is a 
normal disk ID. Therefore, the cipher is decoded or de- 
scrambled to output the plaintext 864 of the *1- n'th con- 
tent. For a graphic data, for example, the MPEG signal 



is extended to obtain a picture signal. 
[0045] In this case, the disk ID is the key for encipher- 
ment. Because each disk is unique, it can be copied on 
only one RAM disk. 

5 [0046] If a disk ID is copied from a normal RAM disk 
to another RAM disk, ID1 which is the original normal 
disk ID differs from ID2 which is the disk ID of the other, 
unauthorized, RAM disk. If the BCA of the unauthorized 
RAM disk is reproduced, ID2 is reproduced. The con- 

1 o~ stents* are ciphered with ID1, however, so" that, even if 
unlatching is attempted with ID2 at the cipher decoder 
863, the cipher is not decoded because the key differs. 
Thus, the signal of the illegally copied RAM disk is not 
output, so that the copyright is protected. The present 

15 invention uses a disk ID system. Therefore, by repro- 
ducing with any drive the normal RAM disk copied nor- 
mally only once, it is possible to unlatch the cipher. The 
encipherment part 859 may, in place of the center, be 
an IC card with a cipher encoder. 

20 [0047] With reference to the block diagram of Fig. 11 
and the flowchart of Fig. 12, the method of preventing 
copying will be described. At Step 877a, the installation 
program is actuated. At Step 877b, the BCA reproduc- 
tion part 820 outputs the ID of the auxiliary data from the 

25 laminated optical disk 801. At Step 877d, the data re- 
production part 865 reproduces the contents and net- 
work check software 870 from the main data. The con- 
tents and the ID 857 are recorded on the HDD 872. At 
Step 877c, the I D 857 is encoded with a particular secret 

30 cipher so as not to be altered illegally, and is recorded 
as a soft ID in the HDD 857. Thus, the soft ID 873 is 
recorded together with the contents on the HDD 872 of 
a personal computer 876. Here described is the case 
where the program is started at Step 877f of Fig. 12. 

35 When the program is started, the procedure goes to 
Step 877g, where the soft ID 873 of the HDD 872 is re- 
produced, and the soft ID 873a in the HDD 872a of an- 
other personal computer 876a on a network 876 is 
checked through the interface 875. At Step 877h, a 

40 check is made to judge if the soft ID 873a of the other 
personal computer and the soft ID 873 are the same 
number. If so, the procedure, goes to Step 877j, where 
the start of the program of the personal computer 876 
is stopped or a warning message is displayed on the 

45 screen. 

[0048] If the soft ID 873a of the other personal com- 
puter and the soft ID 873 are different, the contents are 
not installed in the plurality of the computers on the net- 
work. It is therefore decided that there are no illegal cop- 

50 ies. Then the procedure goes to Step 877k, where the 
start of the program is permitted. In this case, the soft 
ID 873 may be sent to other personal computers through 
the network. This personal computer can detect illegal 
installation by checking duplication of the soft IDs of the 

55 personal computers. If there is illegal installation, a 
warning message is sent to the appropriate personal 
computer/s. 

[0049] Thus, by recording the ID in the BCA, and re- 
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cording the network check program in the pit recording 
area, it is possible to prevent multiple installation of the 
software of the same ID on the same network. In this 
way, simple protection from illegal copies is realized. 
[0050] By, as shown in Fig. 1 3a, applying a write (writ- 
ing) layer 850 of white material, on which characters or 
the like can be written, it is possible to not only print char- 
acters and write a password or the like with a pen, but 
also preventthe substrates of the optical diskfrom being 
damaged because the write layer 850. thicken s-. T e hetiisk 
ID 815, which is part of the BCA data 849 recorded by 
trimming in the BCA area 801a above the write layer 
850, is translated into plaintext. The plaintext is convert- 
ed into alphanumeric characters 851. By printing the 
characters 851 and general barcode 852, it is possible 
for the store and/or user to confirm and/or check the ID 
with a POS bar code reader and/or visually, without 
reading the BCA with a reproducer. The visible ID is not 
necessary if the user informs the center of the ID through 
a personal computer. If, however, the user communi- 
cates the ID aurally by telephone to the center, it is pos- 
sible to inform the center of the ID without inserting the 
disk in a personal computer, by printing the ID identical 
with the BCA ID in visible form on the disk, because the 
user can visually read the ID. With reference to the flow- 
chart of Fig. 13c, the steps for making an optical disk 
will be explained. At Step 853d, disks are molded from 
an original disk, and substrates in which pits have been 
recorded are made. At Step 853e, aluminum reflection 
films are made. At Step 853f, two disk substrates are 
laminated with an adhesive so that a DVD disk or the 
like is completed. At Step 853g, a label is printed by 
screen printing on one side of each disk. At this step, 
the original disk's own identification data is recorded in 
the form of a bar code. At Step 853h, an ID and/or other 
identification information is printed in the format of a bar 
code for POS on each disk by an ink jet bar code printer 
or a thermal-transcription bar code printer or the like. At 
Step 853i, the bar code is read by a bar code reader. At 
Step 853j, a BCA data corresponding to the identifica- 
tion data is recorded in the second recording area of the 
disk. According to this method of manufacturing, the 
BCA data is recorded after all the steps including the 
POS barcode and excluding the BCA are finished and 
then the disk identification data is confirmed. The BCA 
can be read only by reproducing the disk, but the POS 
bar code, which is low in density, can be read by a com- 
mercial bar code reader. The disk ID can be discriminat- 
ed at every step in the factory. By recording the disk ID 
in the form of a POS bar code before the BCA trimming, 
it is possible to almost completely prevent the BCA and 
the POS barcode from being illegally recorded. 
[0051] The method of using a BCA will be stated by 
which secondary recording and tertiary recording, too, 
can be made by the BCA method. As shown at Process 
2 in Fig. 15, a software maker can also secondarily 
record a pirated edition prevention mark and a check 
cipher. At Process 2, disks 944b may be made in which 



different ID numbers and/or cipher keys for secret com- 
munication with users have been recorded. It is possible 
to replay the disks 944c and 944d without entering the 
passwords. 

5 [0052] For another application, at Process 3, an enci- 
phered or scrambled MPEG picture signal and/or other 
data is recorded on a disk 944e. The operation of the 
MPEG scramble will not be explained in detail. At Proc- 
ess 4, the software company makes a disk 844f in which 

10 a sub-public key- for decoding the ID number and the 
scramble release data have been BCA-recorded sec- 
ondarily. It is not possible to replay this disk solely. At 
Process 5, the selling store, after receiving the money 
for the disk, makes a password with the sub-secret key 

15 paired with the sub-public key, and records it tertiarily 
on the disk. Alternatively, a receipt on which the pass- 
word has been printed is given to the user. Thereafter, 
the password has been recorded in the disk 844g, so 
that the user can replay it. This method prevents a disk 

20 not paid for from being replayed normally, even if the 
disk is shoplifted, because the scramble of the image is 
not released. As a result, shoplifting renders a useless 
product and thus decreases. 

[0053] If a password is BCA-recorded permanently in 

25 a rental video store or another store, a shoplifted disk 
can be used. In this case, as shown at Process 6, the 
BCA is read by a POS bar code reader in the store. A 
password for releasing the scramble is issued at Step 
951g, printed on the receipt at Step 951 i, and handed 

30 to the customer at Step 951j. The customer enters, at 
Step 951 k, the password on the receipt in a player with 
numeric keys at his/her house. At Step 951 p, the disk is 
replayed for a predetermined number of days. If a user 
rents a disk, given a password for only part of the soft- 

35 ware in the disk, and when he/she wants to view other 
part of the software, he/she can replay it by being in- 
formed of the password for this part by telephone at Step 
951 u, and entering the password at Step 951 k. A rental 
video store has been shown as an example. When a 

40 piece of enciphered software for a personal computer is 
sold at a personal computer software store, the pass- 
word may be printed by a POS terminal and handed to 
the buyer. 

[0054] The operations of Processes 5 and 6 in Fig. 1 5 
45 at a selling or rental store will be explained in more detail 
with reference to Fig. 14. A selling store receives an en- 
ciphered and/or scrambled disk 944f from the software 
maker. After the store confirms its receipt of money from 
a user, it sends from its bar code recorder 945 the ID 
50 number of the disk 944f and the data on the sub-public 
key via its POS terminal 946 to the password issue cent- 
er 952. For a small-scale system, the password issue 
center, that is, the system including the sub-secret key 
of the sub-public key may exist in the POS terminal. The 
55 password issue center inputs the disk ID number and 
the time data at Step 951 q, computes them at Step 
951s, enciphers them with the sub-secret key at Step 
951t, issues a password at Step 951 g, and sends it 
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through the network 948 and POS terminal 846 to the 
BCA bar code recorder 945. Then the recorded disk 
944g is handed to the customer. The disk 944g can be 
replayed as it is. 

[0055] For rental stores and personal computer soft- 
ware stores, ROM disks 944f the ciphers and/or scram- 
bles of which have not been released are displayed in 
stores. If a customer designates a particular ROM disk 
944f , the bar code of the reflection layer by the non-re- 
flection part 915 of the disk 944f is read; so . that the disk 
ID number is read, by a person holding a circular bar 
code reader 950 with an integrated rotary optical head 
953 for spirally scanning, and pressing it on the center 
of disk 900 in a transparent case. By printing the com- 
modity bar code of the disk ID as shown at 852 in Fig. 
13, it is possible to read the code with an ordinary POS 
terminal bar code reader. Alternatively, the pressed cir- 
cular bar code recorded in advance on the original disk 
may be read. These data including the disk ID are proc- 
essed by the POS terminal 946. The charge is settled 
by credit card. The password issue center issues, at 
Step 951 g, a password associated with the ID number 
as stated above. For rental use, a password is made by 
enciphering the disk ID number with date data added as 
used at Step 951 r in order to limit the number of days 
for which the disk can be replayed. For this password, 
the disk can operate on only particular days. It is there- 
fore possible to set a rental period, which may be three 
days, for instance, in the password. 
[0056] The thus issued password for descrambling is 
printed at Step 951 i together with the date of rent, the 
date of return and the rental title charge on the receipt 
949, and handed with the disk to the customer. The cus- 
tomer takes the disk 944j and receipt 949 home. At step 
951k, the customer enters the password with the ten- 
key input part 954 of the first computer 909 in Fig. 6, so 
that the password 835 is computed with the ID number 
835a and input into the cipher decoder 837. Then, the 
password is converted into plaintext by means of the de- 
coding key. Only if the password is correct, will the ci- 
pher decoder 837 descramble the program data and 
supply image output. 

[0057] In this case, if the password includes time data, 
the data is checked with the date data of the clock part 
836b. The password is descrambled for the coincident 
dates. The inputted password is stored together with the 
associated ID number in the nonvolatile memory 755a 
of the memory 755. Once the user enters the password, 
it is descrambled without being entered again. It is thus 
possible to lock and unlock the disk electronically in dis- 
tribution. 

[0058] With reference to Fig. 16, the method of de- 
coding the software of a disk which has been recorded 
as cipher data will be explained in detail. 
[0059] Step (Process) 865 represents the overall flow 
of distribution of cipher data and individual IDs to users. 
First, at Step 865a, a number , m' of data enciphered with 
the secret first cipher key and a program for decoding 



the enciphered data are recorded in the ROM area of 
an original disk. At Step 865b, substrates are molded 
from the original disk, and then the substrates with re- 
flection films added thereto are laminated in pairs to 

5 make completed ROM disks. At Step 865c, the decod- 
ing data (the disk identification data different for the 
pressed disks, respectively, and/or the decoding key for 
the cipher data) necessary to decode the enciphered 
data is recorded in the auxiliary recording area (called 

10 ~ BCA), which cannot be rewritten, of each completed 
disk by a method of modulation different from that for 
the ROM area. At Step 865d, a user replays the distrib- 
uted disk, selects a desired enciphered data 'n\ and 
starts the decoding process. At Step 865e, the user's 

15 first computer reproduces the enciphered data and the 
decoding program from the ROM area, and reads the 
decoding data from the auxiliary recording area (BCA). 
If, at Step 865f f the second decoding data is not ob- 
tained on-line, then, at Step 871 a of Fig. 1 7, the ID and/ 

20 or other auxiliary decoding data are displayed on the 
screen. At Step 871b, the user obtains the second de- 
coding data such as the password associated with the 
ID, and enters it into the first computer. Carried out at 
Step 871 c is a particular operation of an open-key cipher 

25 function with the disk identification data, the second de- 
coding data, and the enciphered data 'n' If, at Step 871 d, 
the result is correct, then, at Step 871f, the '1 - n'th data 
is translated into plaintext, so that the user can make 
the software of the data 'n' operate. 

30 [0060] Next, with reference to the flowchart of Fig. 18, 
the method of cryptocommunication essential to the In- 
ternet and/or the like using a BCA will be described. Step 
(Process) 868 is the routine of the method of distributing 
the communication program and cipher key for commu- 

35 nication to users. First, at Step 868a, at least the com- 
munication program and/or connection data are record- 
ed in the ROM area of an original disk. At Step 868b, 
substrates are molded from the original disk, and the 
substrates are laminated in pairs to make completed 

40 ROM disks. At Step 868c, the disk identification data dif- 
ferent for the pressed disks, respectively, and the cipher 
key for cryptocommunication are recorded in the non- 
rewritable auxiliary recording area (BCA) of each com- 
pleted disk. According to circumstances, the connection 

45 address of the second computer and/or the decoding 
key for cryptocommunication is recorded by a method 
of modulation different from that for the ROM area. At 
Step 868d, the user's first computer reproduces the 
communication program and the decoding program 

50 from the ROM area, and reads the disk identification da- 
ta and the cipher key for communication from the auxil- 
iary recording area. The process continues at Fig. 19, 
At Step 867a, it is judged if there is a conn ection address 
in the BCA area. If yes, the second computer is ac- 

55 cessed, at Step 867b, on the basis of the connection 
address such as the BCA area URL. If there is no con- 
nection address, the computer of the connection ad- 
dress in the ROM area is accessed at Step 867c. At Step 
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867d, the transmit data is input. At Step 867e, it is judged 
if there is a cipher key for cryptocommunication in the 
BCA area. If so, the transmit data is enciphered, at step 
867g, with the cipher key for cryptocommunication in the 
BCA area to make a third cipher. If not, the data is en- 
ciphered, at step 867f, with the cipher key for crypto- 
communication in the ROM area or HDD to make a third 
cipher. 

[0061] In Fig. 20, Step (Process) 869 represents the 
routine of generating a decoding key-for the cipher re^- 
ceived from the second computer 910. First, at Step 
869a, the first computer judges if a decoding key for 
communication is necessary. If necessary, the process 
goes to Step 869b, where a check is made to judge if 
there is a decoding key for communication in the BCA. 
If there is no decoding key, the process goes to Step 
869c, where a pair of second cipher key for communi- 
cation and second decoding key for communication is 
generated newly with the program for generating the ci- 
pher key/decoding key reproduced from the ROM area, 
by the user keying or with data from a random number 
generator and the second encoder reproduced from the 
ROM area. At Step 869d, a fourth cipher is made which 
is the second cipher key for communication and/or the 
user data enciphered with the cipher key for communi- 
cation recorded in the BCA and the encipherment soft- 
ware reproduced from the ROM area. At Step 869e, the 
fourth cipher and the disk identification data and/or the 
user address are sent to the second computer of the 
connection address reproduced from the disk. The proc- 
ess of the second computer includes Step 869f, where 
the fourth cipher, the disk identification data and the user 
address are received. At Step 869g, the decoding key 
for communication paired with the disk identification da- 
ta is selected from the decoding key data base, and the 
fourth cipher is decoded with the selected key to obtain 
the plaintext of the second cipher key for communica- 
tion. At Step 869h, the fifth cipher which is the server 
data including part of the user data and enciphered with 
the second cipher key for communication is sent through 
the Internet 908 to the first computer. At Step 869i, the 
fifth cipher (and disk identification data) is (are) re- 
ceived, and decoded with the second decoding key for 
communication and the decoding function recorded in 
the ROM area to obtain the plaintext of the server data. 
In this way, the method of Step 869 in Fig. 20 realizes 
two-way cryptocommunication between the first and 
second computers. 

[0062] In Fig. 21 , Step (Process) 870 represents the 
routine of receiving accounting data. If, at Step 870a, 
the accounting data is input, the third cipher key of the 
public key cipher for accounting communication is re- 
quested from the second computer. At Step 870b, the 
second computer requests the third cipher key from the 
third computer. The third computer 91 1 sends the ID and 
third cipher key to the second computer, though the ex- 
change step is omitted. At Step 870c, the second com- 
puter receives the ID and third cipher key. At Step 870e, 



the seventh cipher which is the third cipher key enci- 
phered with the second cipher key for communication 
and/or the like is sent to the first computer. The first com- 
puter receives the seventh cipher at Step 870f. At Step 

5 870g, the received seventh cipher is decoded with the 
second decoding key for communication so as to obtain 
the third cipher key (public key of public key function). 
At Step 870h, the third cipher key is recorded on the 
HDD according to circumstances. This is used for the 

10 next-transmission. At Step 870i, it is judged if a credit 
card number, a password for settlement and/or other se- 
cret accounting data are input. At Step 870j, the eighth 
cipher which is the accounting data enciphered with the 
third cipher key is sent via the second computer to the 

15 third computer. At Step 870k, the second computer re- 
ceives the eighth cipher and transfers it again to the third 
computer. Only the third computer 912, which is, for ex- 
ample, at a banking institution, has the decoding key for 
the third cipher, so that the second computer, which is 

20 an electronic store, cannot decode it. At Step 870m, the 
third computer determines from the cipher key data 
base the third decoding key associated with the third ci- 
pher key by using identification data on the disk and/or 
the like, and decodes the eighth cipher with the third de- 

25 coding key, which is the secret key of the public key ci- 
pher, so as to obtain the plaintext of the accounting data. 
At Step 870n, a check is made to judge from the user's 
credit data, deposit remains and/or other banking data 
whether the money can be received. At Step 870p, the 

30 third computer informs the second computer of the re- 
sult of the search. The second computer, which is an 
electronic store, judges at Step 870q if the money can 
be received. If not, the process goes to Step 870r, where 
the article and/or the key for decoding the cipher soft- 

35 ware is not sent. If the money can be received, for a key 
provision system as shown in Fig. 1 6, the process goes 
to Step 870s, where the cipher software decoding key, 
that is, the article is sent via Internet 908 to the user's 
second computer. At Step 870t, the first computer re- 

40 ceives the cipher software decoding key. At Step 870u, 
the cipher of the '1 - n'th enciphered software is released. 
At Step 870w, the plaintext of the software is obtained. 
In this way, a content key provision system is realized. 
[0063] The method of Step 870 in Fig. 21 requests the 

45 third computer, that is, a banking institution to issue ac- 
cording to the need a public key for the third cipher key, 
which needs high security for accounting data. It is not 
necessary to record the public key in the BCA in ad- 
vance. It is therefore possible to use for the third cipher 

50 key a stronger RSA system cipher key of 256 bytes of 
RSA2048 without consuming the BCA capacity. Further; 
because there is no need for recording in the BCAs of 
all disks in advance, the total of the issued third cipher 
keys decreases, and the computer CPU time taken to 

55 compute the third cipher keys decreases. In addition, 
because the third ciphers do not exist in the BCAs, they 
are not opened, so that the security is improved. In this 
case, the role of the BCA is, as shown in Figs. 19 and 
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20, to record the identification data of a secret commu- 
nication disk by means of the cipher key of the RSA1 024 
grade. Only one BCA disk realizes cryptocommunica- 
tion with the second computer, so that the effect is high. 
[0064] With reference to Fig. 22, Step (Process) 872 
of cryptocommunication in a case where the cipher key 
and the decoding key both for communication have 
been recorded in the BCA will be described. At Step 
872g, the first computer 909 sends to the second com- 
puter 910 the ninth cipher which is the user .data enck 
phered with the cipher key for communication repro- 
duced from the BCA, the basic identification data re- 
corded in the ROM area when the original disk was 
made, and the disk identification data recorded in the 
BCA area. At Step 872b, the second computer receives 
the ninth cipher, the disk identification data and the basic 
identification data. At Step 872c, the decoding key for 
communication paired with the disk identification data 
from the decoding key data base is retrieved, and the 
ninth cipher is decoded to obtain the plaintext of the user 
data. At Step 872e, the second cipher key associated 
with the disk identification data is selected from the ci- 
pher key data base. In addition, the second computer 
sends to the first computer the tenth cipher which is the 
server data enciphered with this second cipher and the 
third cipher key received from the third computer by the 
procedure described in Fig. 21 and enciphered with the 
second cipher. The first computer receives the tenth ci- 
pher at Step 872f. At Step 872g, the received seventh 
cipher is decoded with the second decoding key for 
communication recorded in the BCA, to obtain the plain- 
text of the server data and the third cipher key (public 
key of the public key function) . At Step 872h, according 
to the need, the third cipher key is recorded on the HDD. 
At Step 872i, it is judged if the accounting data is input. 
If so, the process goes to Step 872j, where the eleventh 
cipher which is the accounting data enciphered with the 
third cipher key is sent via the second computer to the 
third computer. At Step 872m, the second computer 
sends the eleventh cipher again to the third computer. 
At Step 872m, the third computer determines from the 
third cipher key data base, the third cipher key paired 
with the identification data on the disk and/or the like, 
and decodes the eleventh cipher to obtain the plaintext 
of the accounting data. At Step 872n, the possibility that 
the money can be received from the user is checked. At 
Step 872p, the result of the search is sent to the second 
computer. At Step 872q, the second computer checks 
to judge if the money can be received from the user. If 
so, for a key provision system as shown in Fig. 16, the 
process goes to Step 872s, where the cipher software 
decoding key, that is, an article is sent via the Internet 
to the user's second computer. At Step 872t, the first 
computer receives the cipher software decoding key. At 
Step 872u, the cipher of the '1 - n'th enciphered software 
is released. At Step 872w, the plaintext of the software 
is obtained. In this way, a content key provision system 
is realized. 



[0065] The merit of the effect of the method of Step 
872 in Fig. 22 is that, because both the cipher key and 
the decoding key are recorded in the BCA area, it is not 
necessary to transmit the decoding key and/or the ci- 

5 pher key necessary for reception from the second com- 
puter. The maximum BCA capacity is 1 88 bytes. A public 
key and/or another cipher function needs only 128 
bytes, and can therefore be recorded. Further, it is pos- 
sible to bidirectionally encipher the grade in RSA512. 

10 : Because seven or eight elliptic functions can, as shown-* 
in Fig. 7, be stored, elliptic functions are more effective. 
[0066] With reference to Fig. 23, the operation and ef- 
fect in a case where the first and third cipher keys have 
been recorded in the BCA in advance will be explained. 

15 Because Steps 872a through 872w in Fig. 22 are nearly 
identical with Steps 873a through 873w in Fig. 23, only 
the different steps will be explained. 
[0067] The third cipher key for protecting the security 
for accounting data and/or other banking data has been 

20 recorded in the BCA. Therefore, at Step 873e, the sec- 
ond and third computers do not need to generate and 
send the third cipher key. At Steps 873e, 873f and 873g, 
the twelfth cipher is sent and received. At Step 873j, the 
third cipher key is read from the BCA area, and the us- 

25 er's accounting data is sent via the second computer to 
the third computer. The method of Fig. 23 does not need 
the third cipher key generated, sent and received at all, 
so that the procedure is simple. 
[0068] In the case of electronic settlement systems, 

30 in general, there are a plurality of accounting centers 
representative of credit companies. Therefore, natural- 
ly, there is a need for a plurality of third cipher keys, 
which are public keys. As explained with reference to 
Fig. 7b, there is a need for an RSA1 024 grade or more, 

35 that is, 128 bytes or more if an RSA cipher function is 
used. The third cipher key 81 7b can therefore enter only 
one place of 188 bytes of the BCA. However, elliptic- 
function cipher keys (elliptic ciphers) which have ap- 
peared in recentyears give, with small capacity, security 

40 equivalent to that of RSA. In recentyears, RSA function 
RSA1 024 has been the lowest standard of banking data 
security. While an RSA function needs 128 bytes, it is 
said that an elliptic cipher needs only about 20 through 
22 bytes for equivalent security. Therefore, as shown in 

45 Fig. 7c, it is possible to store in the BCA seven, eight or 
fewer third ciphers which deal with banking data. The 
use of elliptic functions realizes a BCA-application elec- 
tronic settlement system which can deal with a plurality 
of essential banking centers. Explanation has been 

so made, concentrated on the third cipher, but even if an 
elliptic cipher is used for the public key for the first cipher 
key, its effect is similar because high security is kept in 
relation to a plurality of electronic stores. 
[0069] With reference to Fig. 24, the RAM disk record- 

55 er/reproducer with a BCA explained with reference to 
Fig. 10 will be described in more detail. As an embodi- 
ment, the procedure for recording in a RAM disk in a so- 
called pay-per-view system will be described. First, with 
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its program transmitter 883, a CATV company or anoth- 
er software company enciph ers movie software or other 
contents 880 by using the first cipher key 882 in the first 
encoder to generate a first cipher 900, and sends this 
cipher to a decoder 886 such as each user's CATV de- 5 
coder. If the decoder 886 sends a request for a particular 
program through a network to a key issue center 884, 
the center sends the first decoding data 885a to the first 
decoding part 887 of the first decoder 886. The first de- 
coding data- 885a is- a particular piecaof software such 10 
as the scramble release key for the particular decoder 
system ID number and particular timing data 903, and 
includes a recording permission card 901 for a RAM 
disk. The first decoding part 887 decodes the first cipher 
900 with the system lD888andfirstdecodingdata885a. 1$ 
In the case of a picture signal, the signal descrambled 
once and scrambled further with another cipher to pro- 
tect the signal from being copied is output from the third 
cipher output part 889. The picture can be viewed and 
listened to on a general TV 899, though the original sig- 20 
nal is guarded from being copied. If the recording per- 
mission code 901 a is NO, it is not possible to record in 
a RAM disk 894. If OK, however, it is possible to record 
in only one RAM disk 894. This method will be ex- 
plained. 25 
[0070] In the decoder 886, an IC card 902 is inserted, 
and the BCA reproduction part 895 reads the BCA of 
the RAM disk 894 in a RAM recorder. Then the disk ID 
905 is sent to the IC card 902. The IC card 902 checks 
the recording permission code 901a and the present 30 
time data 904 obtained from the disk IC 905 and the de- 
coder 886, and makes a two-way hand-shake type copy 
check 907 with the third cipher output part 889. If the 
recording permission code and copy checks are OK, the 
second auxiliary encoder 891 in the IC card 902 issues 35 
a second cipher key 906. The second encoder 890 en- 
ciphers the third cipher again to generate a second ci- 
pher, which is the contents 880 enciphered with the disk 
ID of a particular disk. The second cipher is sent to the 
RAM recorder 892, where it is 8-1 5 or 8-1 6 modulated *o 
by the first modulation part in the recording means 893. 
The second cipher 912 is recorded in the first recording 
area 894a of the RAM disk 894 by means of a laser. In 
this way, the data of the RAM disk 894 is enciphered 
with the particular disk ID number. 4 $ 
[0071] When the reproduction signals in this disk are 
8-16 demodulated by the first modulation 896a using a 
normal reproduction means 896, the second cipher of 
the contents is output. The second decoder 897 has 
second decoding keys 898a, 898b and 898c, which cor- 50 
respond to the cipher keys of the IC cards different for 
CATV stations or other program supply companies, re- 
spectively In this case, the decoding key identification 
data of the decoder 868 or IC card 886 has been record- 
ed in the first recording area 894a. The reproducer reads 55 
the decoding key identification data 913 from the first 
recording area 894a. The decoding key selection means 
91 4 automatically selects out of the decoding keys 898a 
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through 898z the second decoding key 898a corre- 
sponding to each cipher key. With the disk ID 905a as 
a key, the second decoder 897 decodes the second ci- 
pher. An IC card having a particular decoding key might 
be used. In the case of an image, it is possible to obtain 
a normal image descrambled at a TV 899a. 
[0072] In the system of Fig. 24, a disk ID 905 is sent 
to the IC card inserted into the decoder in each user's 
home to encipher picture image data and/or the like. It 
is therefore not necessary forthe software company'883* 
to individually change the cipher of the contents for dis- 
tribution to users. Consequently, when broadcasting 
scrambled pay-per-view images to a great number of 
viewers as is the case with satellite broadcasting and 
CATV, it is possible to permit recording in only one RAM 
disk per user. 

[0073] If, at the same time when recording is made in 
a disk in the system of Fig. 24, an attempt is made to 
illegally copy, that is, record in a second disk, that is, a 
RAM disk of another disk ID, it is not possible to alter 
the disk ID because two-layer disks are used for BCAs. 
Therefore, unauthorized copying in the second.disk at 
the same time is prevented. It can be considered that 
during another time period, a simulated or dummy re- 
cording permission code 901a and/or a third cipher is 
sent to the decoder and/or IC card and data is recorded 
in a RAM disk of another disk ID. Even against such un- 
authorized practice, the decoder time data control part 

902 in the IC card compares the time of the timing data 

903 of the key issue center 884 and/or the time of the 
time data of the contents and the present time of the 
time data part 904a in the decoder to judge if they coin- 
cide. If so (OK), the IC card 902 permits the encipher- 
ment of the second cipher computing unit 990. 
[0074] In this case, a hand-shake type time check 
method might be used which makes the second encoder 
890 and first decoder 887 exchange check data bidirec- 
tionally 

[0075] In the case of the hand-shake type, the second 
cipher computing unit 890 including the IC card, the first 
decoding part 887, and the third cipher part 889 confirm 
the cipher data bidirectionally. This prevents the unau- 
thorized copying during the other time periods outside 
the time when the contents are sent. 
[0076] In this way, in each user's decoder 886, the 
software company's contents are recorded in only one 
RAM disk 894 for each particular disk ID. This disk can 
be reproduced by any RAM disk reproducer. Even in the 
case of recording in a RAM disk by the method of Fig. 
24, the software company's copyright is protected. Al- 
thoughthe encipherment and decoding have been ex- 
plained with reference to the cipher encoders and cipher 
decoders, respectively, in the detailed description of the 
drawings, the cipher algorithm and the decoding algo- 
rithm are practically used with programs in a CPU. 
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INDUSTRIAL APPLICABILITY 840 

841 

[0077] By thus recording in advance the cipher key 842 
and/or the decoding key for an ID and/or a cipher in the 843 
BCA area of an optical disk, it is possible to release the 5 844: 
cipher of enciphered contents by a simpler procedure, 845 
In addition, the secrecy of communication is realized 846: 
without a conventional procedure for registration. By 847 
storing a network check program in contents, it is pos- 849 
sible to prevent pieces of software of the sameFt&srvthe-r^- 850 
same network being installed. Thus, there are various 851 
effects on the improvement of security. 852 
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area comprises circumferentially arranged multiple 
stripe patterns each stripe of which extends along 
a radius of the disk; 

and in that said disk further comprises 
an auxiliary information presence indicator 5 
(922) indicating the presence of said auxiliary infor- 
mation. 

The optical disk of claim 1 , wherein said second re- 
cording area is disposed within said first recording^ Kl 
area. 
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Fig. 12 
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Fig. 17 
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